If you believe that you have discovered a security or privacy vulnerability in our open source software, please report it to us using the GitHub private vulnerability feature. Reports should include specific product and software version(s) that you believe are affected; a technical description of the behavior that you observed and the behavior that you expected; the steps required to reproduce the issue; and a proof of concept or exploit.

Reports concerning known, publicly disclosed CVEs can be submitted as normal issues to this project. Output from automated security scans or fuzzers must include additional context demonstrating the vulnerability with a proof of concept or working exploit. Application crashes due to malformed inputs are typically not treated as security vulnerabilities, unless they are shown to also impact other processes on the system.

While we welcome reports for open source software projects, they are not eligible for Apple Security Bounties.